Techdirt. Stories filed under "ecpa"
Easily digestible tech news...
https://www.techdirt.com/

4th Amendment Lives: Court Tells US Government Get A Warrant If It Wants Mobile Phone Location Info
Mike Masnick, Fri, 31 Jul 2015 07:16:25 PDT
https://www.techdirt.com/articles/20150730/16271931804/4th-amendment-lives-court-tells-us-government-get-warrant-if-it-wants-mobile-phone-location-info.shtml

get a warrant if it wants to obtain historical location info about certain "target" mobile phones (officially known as "Cell Site Location Info" -- or CSLI). The government sought to use a provision of the Stored Communications Act (a part of ECPA, the Electronic Communications Privacy Act) to demand this info without a warrant -- using a much lower standard: "specific and articulable facts" rather than the all-important "probable cause." Judge Koh says that doesn't pass 4th Amendment muster, relying heavily on the important Supreme Court rulings in the Jones case, involving attaching a GPS device to a car, and the Riley case about searching mobile phones.

Based on the preceding U.S. Supreme Court cases, the following principles are manifest:
(1) an individual’s expectation of privacy is at its pinnacle when government surveillance intrudes
on the home; (2) long-term electronic surveillance by the government implicates an individual’s
expectation of privacy; and (3) location data generated by cell phones, which are ubiquitous in this
day and age, can reveal a wealth of private information about an individual. Applying those
principles to the information sought here by the government, the Court finds that individuals have
an expectation of privacy in the historical CSLI associated with their cell phones, and that such an
expectation is one that society is willing to recognize as reasonable.

This is big. Obviously, the government is likely to appeal, and so as a first pass, this might seem meaningless. We've still got an appeals court (and possibly a rehearing) and a Supreme Court to get to, but as a first ruling, it's a good one. Koh's analysis is pretty thorough. It notes the similarities to both the Jones and Riley cases:

Here, as in Jones, the government seeks permission to track the movement of
individuals—without a warrant—over an extended period of time and by electronic means. CSLI,
like GPS, can provide the government with a “comprehensive record of a person’s public
movements that reflects a wealth of detail about her familial, political, professional, religious, and
sexual associations.” Riley, 134 S. Ct. at 2490 (quoting Jones, 132 S. Ct. at 955 (Sotomayor, J.,
concurring)). With the proliferation of smaller and smaller base stations such as microcells,
picocells, and femtocells—which cover a very specific area, such as one floor of a building, the
waiting room of an office, or a single home, ...—the government is
able to use historical CSLI to track an individual’s past whereabouts with ever increasing
precision. See Riley, 134 S. Ct. at 2490 (explaining that a cell phone’s “[h]istoric location
information . . . can reconstruct someone’s specific movements down to the minute, not only
around town but also within a particular building”). At oral argument, the government agreed that
in some instances CSLI could locate an individual within her home, ... and did not dispute that CSLI will become more precise as the number of cell towers
continues to multiply.... This admission is of constitutional significance because rules
adopted under the Fourth Amendment “must take account of more sophisticated systems that are
already in use or in development.”...

In fact, the information the government seeks here is arguably more invasive of an
individual’s expectation of privacy than the GPS device attached to the defendant’s car in Jones.
This is so for two reasons. First, as the government conceded at the hearing, over the course of
sixty days an individual will invariably enter constitutionally protected areas, such as private
residences.... Tracking a person’s movements inside the home matters for
Fourth Amendment purposes because “private residences are places in which the individual
normally expects privacy free of governmental intrusion not authorized by a warrant, and that
expectation is plainly one that society is prepared to recognize as justifiable.” Karo, 468 U.S. at
714; see also Kyllo, 533 U.S. at 31 (“At the very core of the Fourth Amendment stands the right of
a man to retreat into his own home and there be free from unreasonable governmental intrusion.”
(internal quotation marks omitted)). As one court put it, “Because cellular telephone users tend to
keep their phone on their person or very close by, placing a particular cellular telephone within a
home is essentially the corollary of locating the user within the home.” ....

Second, the government conceded at oral argument that, compared to GPS tracking of a
car, the government will “get more information, more data points, on the cell phone” via historical
CSLI... (“But, yes, of course the person has the phone
more than they have their car, most people at least do, so it gives [the government] more data.”).
Cell phones generate far more location data because, unlike the vehicle in Jones, cell phones
typically accompany the user wherever she goes.... Indeed, according to a survey
cited by the U.S. Supreme Court in Riley, “nearly three-quarters of smart phone users report being
within five feet of their phones most of the time, with 12% admitting that they even use their
phones in the shower.”....

Judge Koh points to some survey data from Pew (sent in by EFF) noting that many, many people consider their location information to be "sensitive information" and, on top of that, the fact that CSLI is generated even if someone turns off the GPS or "location data" features on their phone -- meaning they can't even opt out of generating such information to try to keep it private.

More importantly, Judge Koh takes on the issue of the infamous third party doctrine and the awful Smith v. Maryland precedent, which says you have no expectation of privacy in data held by third parties. To date, the Supreme Court has punted on this issue in the Jones and Riley cases. However, Koh addresses the issue head on, and says the third party doctrine should not apply to phone location data like this. The key issue: in the Smith case, the "information" that was given to the third party was the phone number being dialed. This was information that the caller voluntarily conveyed to the phone company in order to make the call. Judge Koh points out that this information is quite different:

Cell phone users, by contrast, do not “voluntarily convey” their location to the cellular
service provider in the manner contemplated by Miller and Smith. This is especially true when
historical CSLI is generated just because the cell phone is on, such as when cell phone apps are
sending and receiving data in the background or when the cell phone is “pinging” a nearby cell
tower. As the government’s FBI special agent explained, “CSLI for a cellular telephone may still
be generated in the absence of user interaction with a cellular telephone.” .... “For
example,” the special agent continued, CSLI may be generated by “applications that continually
run in the background that send and receive data (e.g. email applications).” ... At oral argument,
the government confirmed that its § 2703(d) application authorizes the government to obtain
historical CSLI generated by such activities.

[....] In so doing, a cell phone
periodically identifies itself to the closest cell tower—not necessarily the closest cell tower
geographically, but the one with the strongest radio signal—as it moves through its network’s
coverage area.... This process, known as “registration” or “pinging,”
facilitates the making and receiving of calls, the sending and receiving of text messages, and the
sending and receiving of cell phone data.... Pinging nearby cell towers is automatic and
occurs whenever the phone is on, without the user’s input or control.... This
sort of pinging happens every seven to nine minutes....

In Miller and Smith, the individual knew with certainty the information that was being
conveyed and the third party to which the conveyance was made. Cell phone users, on the other
hand, enjoy far less certainty with respect to CSLI. CSLI, in contrast to deposit slips or digits on a
telephone, is neither tangible nor visible to a cell phone user. When the telephone user in Smith
received his monthly bill from the phone company, the numbers he dialed would appear.... The CSLI generated by a user’s cell phone makes no such appearance.... Rather, because CSLI is generated automatically whenever a cell tower detects radio
waves from a cell phone, a cell phone user typically does not know that her phone is
communicating with a cell tower, much less the specific cell tower with which her phone is
communicating.... It may be, as the government explained, that a cell phone
connects to “many towers” during the length of a call,... and the tower to which a cell
phone connects is not necessarily the closest one geographically.... Moreover, when
an app on the user’s phone is continually running in the background, ... she may
not be aware that the cell phone in her pocket is generating CSLI in the first place.

And thus, even with the third party doctrine, this information is quite different than that discussed in the Smith v. Maryland case, which involved phone numbers dialed:

In light of the foregoing, the Court concludes that historical CSLI generated via continuously operating apps or automatic pinging does not amount to a voluntary conveyance of
the user’s location twenty-four hours a day for sixty days. Such data, it is clear, may be generated
with far less intent, awareness, or affirmative conduct on the part of the user than what was at
issue in Miller and Smith. Unlike the depositor in Miller who affirmatively conveyed checks and
deposit slips to the bank, or the telephone user in Smith who affirmatively dialed the numbers
recorded by the pen register, a cell phone user may generate historical CSLI simply because her
phone is on and without committing any affirmative act or knowledge that CSLI is being
generated. Smith, for example, never contemplated the disclosure of information while the
landline telephone was not even in use.

This sort of passive generation of CSLI does not amount to a voluntary conveyance under
the third-party doctrine.

Judge Koh notes that this ruling isn't rejecting the ruling in Smith -- rightly noting that only the Supreme Court can determine that it's no longer good law -- but notes that the ruling there is different enough from this one that it does not apply. Ideally, the Supreme Court will get around to rejecting the ridiculous third party doctrine altogether, but if it must stand, a ruling like this is helpful in returning just a bit of 4th Amendment protected privacy to the American public.

White House Vaguely Agrees Outdated ECPA Should Be Reformed But Only With An Eye On The Government's 'Interests'
Tim Cushing, Tue, 28 Jul 2015 11:01:00 PDT
https://www.techdirt.com/articles/20150728/07294531773/white-house-vaguely-agrees-outdated-ecpa-should-be-reformed-only-with-eye-governments-interests.shtml

The Obama administration must be doing a little housecleaning in preparation for the 2016 winner. After months of highly-sporadic and belated responses to We The People petitions, it's answered two big ones (that have been sitting around forever) in a single day. It's also issued a handful of other responses to open petitions, some of which are little more than "we decline to respond," accompanied by a link to the site's Terms of Participation.

It took on two big petitions today. The first was a response to a request to pardon Snowden, which it denied under its "No Good Whistleblowing Goes Unpunished" policy. The second asked for a long-delayed rewrite of an outdated law.

The Electronic Communications Privacy Act has been in need of reform for years. If nothing else, the law's misleading name needs to be changed. One of the more notorious aspects of the law is that it gives email less privacy protection than snail mail, which is already an exceedingly low bar.

The administration agrees that reform of this law -- which treats email older than six months as "abandoned" and thus easily-accessible by law enforcement -- is needed. However, it does so belatedly, vaguely and disingenuously.

It's obvious that many -- and arguably, most -- Americans today use email as one of their primary means of communication. Particularly in an era where we keep so much of our lives online, the content housed there deserves strong privacy protections -- which is at the core of what ECPA was designed to do. But over time, technology has evolved.

Which is why our policy teams agree with you: ECPA is outdated, and it should be reformed.

This is good news. Or it would be if there were any particular plan to get something done. While the response agrees that the outdated law's take on email privacy protection is pretty much terrible, the administration doesn't seem too willing to push for any specific reform effort.

We know there are still important details being worked out across government and in the halls of Congress. We aren't going to endorse a single ECPA-reform bill at this time. As any given bill goes through committee and makes its way to the House and Senate floors, the draft is negotiated and modified to address concerns and strengthen the bill.

In other words, we like the idea of reform so much we're going to do nothing about it. While efforts have been made over the past few years, they've been stalled/gutted to appease law enforcement and (yes, really) regulatory agencies' interests. Very little forward motion has been made and without something stronger than "we'll probably support whatever actually makes its way to the President's desk" propelling this reform, it could still be several more years before the already-outdated law is rewritten to properly address a communication method that originated nearly 45 years ago.

Finally, the response sends a mixed message about reform in the very last sentence.

That said, we're encouraged by the strong bipartisan support for updating this legislation in both chambers of Congress, and are looking forward to seeing this law address today's technological realities while preserving the interests we must protect.

This seems to indicate it will be more supportive of a bill that has the backing of law enforcement and other government agencies. A warrant requirement for emails older than six months isn't that much of an imposition, but so far, it's been a tough idea to sell. This last sentence shows the administration finds the government's "interests" worth protection. The privacy interests of millions of Americans? Not so much.

SEC Boss Can't Keep Her Story Straight On Whether Or Not SEC Snoops Through Your Emails Without A Warrant
Mike Masnick, Fri, 17 Apr 2015 19:39:00 PDT
https://www.techdirt.com/articles/20150415/17062430669/sec-boss-cant-keep-her-story-straight-whether-not-sec-snoops-through-your-emails-without-warrant.shtml

ECPA reform. ECPA is the Electronic Communications Privacy Act, written in the mid-1980s, which has some frankly bizarre definitions and rules concerning the privacy of electronic information. There are a lot of weird ones, but the one we talk about most is that ECPA defines electronic communications that have been on a server for 180 days or more as "abandoned," allowing them to be examined without a warrant and without probable cause as required under the 4th Amendment. That may have made sense in the 1980s when electronic communications tended to be downloaded to local machines (and deleted), but makes little sense in an era of cloud computing when the majority of people store their email forever on servers. For the past few years, Congress has proposed reforming ECPA to require an actual warrant for such emails, and there's tremendous Congressional support for this.

And yet... it never seems to pass. The story that we keep hearing is that two government agencies in particular really like ECPA's outdated system: the IRS and the SEC. Since both only have administrative subpoena power, and not the ability to issue warrants like law enforcement, the lower standards of ECPA make it much easier for them to snoop through your emails without having to show probable cause. Last year, in a Congressional hearing, the SEC's boss, Mary Jo White, was questioned about this by Congressman Kevin Yoder, who has been leading the charge on ECPA reform. As we reported at the time, in the conversation, White clearly said that the SEC needed this ability or it would lose "critical" information in its investigations. You can see the conversation from 2014 below, where White (starting around 2:30) explains how vital this process is to the SEC:

Here's the key line:

"What concerns me, as the head of a... law enforcement agency, is that we not put out of reach of lawful process... what is often, sometimes the only, but critical evidence of a serious securities fraud.... And we use that authority quite judiciously, but it's extremely important to law enforcement."

What struck us as interesting last year was White admitting that the SEC appeared to regularly use this process, since she noted that it was "extremely important" and provided "critical evidence."

Fast forward to this week, and the same two players were involved in yet another Congressional hearing. You can see that conversation here as well, with the critical point being made after about four and a half minutes, where White says some of the same stuff, about the privacy protections, and how even if the SEC used this process it still notifies the subscribers to give them a due process right to protest the subpoena... but also, oddly, seems to claim that the SEC never actually makes use of this process:

Here's the key line this time (the full response is a jumble of half sentences and unfinished thoughts, so it's a bit of a mess):

"While these discussions have been going on, to try to sufficiently balance the privacy and the law enforcement interests, we've not to date to my knowledge proceeded to subpoena the ISPs. But that, I think, is critical authority to be able to maintain -- done in the right way and with sufficient solicitousness and it's very important to the privacy interests which I do think can be balanced."

As I said, if you watch her entire response, it's a complete mess of half-finished thoughts, which seems rather typical of someone trying to sound like they're answering a question but not actually doing so. Later in the same answer, she insists that taking away this authority might take away an important tool.

So, we know that the SEC really wants to keep this tool. But last year it said it was "extremely important" and provided "critical evidence." This year, she's saying that the SEC isn't even using the tool. So, uh, which is it? Is this tool absolutely necessary for critical evidence, or is it not even being used by the SEC?

And, through all of this, the SEC still has not answered the most basic question: why can't it treat email the same way it has to treat paper documents under the 4th Amendment? That is, if it wants the document it can subpoena the end user for those documents. It does not get to route around the end user and subpoena a third party for those documents. So why can't it treat email in the same way?

Can Some Internet Memes Finally Get Congress To Pass New Legislation To Protect Your Privacy Online?
Mike Masnick, Thu, 5 Feb 2015 04:06:11 PST
https://www.techdirt.com/articles/20150204/16525829913/can-some-internet-memes-finally-get-congress-to-pass-new-legislation-to-protect-your-privacy-online.shtml

ECPA reform. ECPA -- the Electronic Communications Privacy Act -- is an incredibly outdated piece of legislation from the 1980s that governs law enforcement's ability to access email and other electronic communications. This was the era before the internet was anywhere close to the mainstream (though it did exist). Among the various weird parts of the law, it says that any communication that is over 180 days old and still on a server is considered "abandoned" so that the government can access it without a warrant. Think about that in this era when you keep all your communications online. It was written when lawmakers thought people would "download" the messages off a server. That's just the most noteworthy problem -- there are all sorts of different definitions based on messages that have been opened or not opened and other oddities as well, almost none of which make sense.

Last year we noted that more than half of the House was co-sponsoring a bill put forth by Reps. Kevin Yoder and Jared Polis to reform ECPA in a big way. But even with so many supporting the law, it failed to move. A big hurdle? Both the IRS and SEC (note: not your standard law enforcement agencies) like the fact that they can use ECPA to snoop through electronic communications (without a warrant -- which those agencies can't get on their own anyway).

Yoder and Polis are back again with another attempt, and it's matched by similar legislation in the Senate from Senators Patrick Leahy and Mike Lee. To get attention for the bill, Yoder, Polis and some other supporters took to Twitter in a bit of a meme fest, highlighting some historical facts to demonstrate just how long it's been since ECPA became law. It's worth scrolling through them all (though there are a lot), because some are pretty funny:

At this point, it's a complete travesty that such a bill hasn't become law. People have explained the need for it for well over a decade, and more than half of Congress was signed on to co-sponsor it in the last Congressional term. Already this new bill has 228 additional co-sponsors in the House and another 6 co-sponsors in the Senate. The IRS and SEC's objections are simply ridiculous. Having more convenient access to someone's emails is no excuse for not better protecting the privacy of our online communications.

Of course, this isn't the only effort going on to protect privacy. Reps. Zoe Lofgren, Ted Poe and Suzan DelBene have also introduced a bill to update ECPA. It's pretty clear that Congress knows that the law needs to be updated, and it's time to get past whatever objections there are and actually start protecting our privacy.

No, Microsoft Is Not Suddenly 'Defying' A Court Order To Turn Over Emails
Mike Masnick, Tue, 2 Sep 2014 05:54:41 PDT
https://www.techdirt.com/articles/20140831/07361528374/no-microsoft-is-not-suddenly-defying-court-order-to-turn-over-emails.shtml

hand over email data stored in Ireland based on a warrant issued in the US under the (incredibly outdated) Electronic Communications Privacy Act (ECPA). Microsoft, quite reasonably, fought back, pointing out that a warrant only applies within the US and not to foreign countries. The DOJ (and the original judge) claimed that an ECPA warrant isn't really like a warrant at all, but rather a "hybrid warrant/subpoena." But, Microsoft (rightly) points out that this is the DOJ wanting the best of both worlds -- while ignoring the protections of both. Here was the crux of Microsoft's argument:

The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather, it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.

Unfortunately, as we noted at the end of July, the judge in the case, Loretta Preska, sided with the DOJ.

On Friday, Judge Preska did what was basically a procedural move. When she had made the original ruling, she had put a stay on the ruling, fully expecting Microsoft to appeal. This is fairly standard procedure. When a district court judge knows a ruling is likely to be appealed the judge will frequently "stay" the ruling pending the appeal. The DOJ claimed that this was a procedural error and that the particular order, for a whole host of boring legal reasons, is not an "appealable order" and that the stay is inappropriate for that reason. Everyone involved in the case -- the Judge, Microsoft and the DOJ -- knows that it's going to go to an appeal. There's just a very, very minor debate over the correct legal process to get it to appeal. Judge Preska agreed that the original order probably is not appealable, and thus the stay order makes no sense, since it was only pending the appeal. Thus, to speed things along, she lifted the stay, noting quite clearly that this was to help along the appeal process:

Both parties share the common goal of permitting the Court of Appeals to hear this case as soon as possible. Their disagreement concerns the correct path to that goal. In other words, the parties agree on the destination but the route to get there is the subject of hot dispute.

Basically, this was a very minor move to push things onto the proper legal track to get this case before the appeals court. Because the original order isn't technically appealable, the stay didn't make any sense, so the Judge removed it, with everyone knowing that Microsoft won't hand over the info, leading the Judge to issue a different ruling that can be appealed. I saw the news on Friday and realized it wasn't worth writing about, because it's basically nothing.

However, a few sites appear to have totally misread this into being a big deal. If you don't read carefully, seeing that a judge lifted a stay suggests that Microsoft is being forced to hand over the info. But anyone who actually read any of the details (including the decision and/or the Reuters report that broke the news) should have known that wasn't actually the case. Microsoft then said the most obvious thing in the world: that it wasn't handing over the info, because it hasn't done that all along and this is what it needs to do to get the case to appeal. But a bunch of sites misread the whole thing as if Microsoft was somehow taking a new stand, rather than just procedurally moving things forward. A site called WindowsITPro wrote up that Microsoft was now "defying" a court order and this somehow proved it was a heroic company, fighting for its customers:

Despite a federal court order directing Microsoft to turn overseas-held email data to federal authorities, the software giant said Friday it will continue to withhold that information as it waits for the case to wind through the appeals process. The judge has now ordered both Microsoft and federal prosecutors to advise her how to proceed by next Friday, September 5.

Let there be no doubt that Microsoft's actions in this controversial case are customer-centric. The firm isn't just standing up to the US government on moral principles. It's now defying a federal court order.

They did this, even though in the very next paragraph the Microsoft statement itself points out that this is nothing more than a procedural issue. Unfortunately, sites like Slashdot also picked up on the WindowsITPro story and repeated the misleading headline.

Yes, Microsoft is trying to protect its customers' email data (held in Ireland) in this case. And yes, it's an important case. But Microsoft (and a variety of other tech companies that filed amicus briefs in support of Microsoft's position) took that stand months ago. What happened on Friday was a minor procedural effort to move the case along, and didn't represent any big new "heroic" move by Microsoft to "defy" a court order. Nothing to see here, move on. The appeals court is where this case will actually get interesting.

Ron Wyden: It's Time To Kill The Third Party Doctrine And Go Back To Respecting Privacy
Mike Masnick, Mon, 18 Aug 2014 07:47:00 PDT
https://www.techdirt.com/articles/20140816/06282828233/ron-wyden-its-time-to-kill-third-party-doctrine-go-back-to-respecting-privacy.shtml

the third party doctrine and its troubling implications for the 4th Amendment and your privacy -- especially in the digital era. If you're unfamiliar with it, the third party doctrine is the concept used by law enforcement (and, tragically, the courts) to say that you have no expectation of privacy or 4th Amendment rights in information you've given to a third party. The origins of this argument are not completely crazy, because there is a legitimate claim to the idea that if I entrust you with some private information, and you decide to disclose it, that my 4th Amendment rights haven't been violated. But that assumes a very different world. In today's digital world -- especially with cloud computing -- we "entrust" all sorts of information to third parties even though we still think of and treat that information like it's our own personal effects. These aren't cases in which I'm handing over a collection of journals to my neighbor to hold onto. Online services are treated as our own content -- which we can access, update and modify at any time from any device.

While the Supreme Court's recent decision in the Riley/Wurie cases suggests that it is becoming increasingly uncomfortable with law enforcement twisting old concepts onto new technologies to eviscerate privacy, the third party doctrine technically still stands -- and there has been little real discussion of it in Congress.

So it's good to see that Senator Ron Wyden is actually speaking out about why the third party doctrine needs to go. The speech is a good one, talking about oppressive governments and surveillance, and the rise of technology -- and how our laws have not kept pace when it comes to protecting our privacy against government intrusion. Then he digs in on the third party doctrine, noting that it was established by "judges who did not fully understand 20th Century technology, much less anticipate the technology we have today" and that it makes little sense considering the way we use technology today:

Some will still argue that by sharing data freely with Facebook, Google, Mint, Uber, Twitter, Fitbit, or
Instagram, Americans are choosing to make that data public. But that is simply not the case. I might not
have any expectation of privacy when I post a handsome new profile picture on Facebook, or when I send
out a tweet to tell people I’ll be at the Tech Northwest conference. But when I send an email to my wife,
or store a document in the cloud so I can review it later, my service provider and I have an agreement that
my information will stay private. Neither of us have invited the government to have a peek. Basically, I
think sharing this information with Google is like putting property in a safety deposit box, but the
government thinks I’m posting it on a billboard out on I-5.

Citizens have agreed to a contract with Google or Mint that keeps their email or financial data private. In
many cases these companies don’t even know what information they’re holding for you. Making
information available to a service provider for a limited business purpose - so that they can give you a
new app, or provide targeted ads, or do any other kind of business with you - is simply not the same as
broadcasting that information to the public. In the view of the law this data should be as secure to your
person as if it were sitting in a locked filing cabinet in your home office.

So how about fixing it? Well, he says, it needs to start by reforming the laws that cover the intelligence community, preventing them from bulk collection of the data you've handed to third parties.

I believe that any serious effort to reform this law needs to end the bulk collection of Americans’ personal
information, starting with their phone records. I have been challenging this program for years on the
grounds that isn’t just harmless old metadata. Furthermore, I believe that Congress needs to reform the
Foreign Intelligence Surveillance Court, to make it more transparent and to include an advocate for the
American people. Additionally, there needs to be much greater transparency from intelligence agencies
about the scale and scope of domestic surveillance activities, and private companies should be given the
ability to disclose much more information about requests they receive from the government. Most of all,
Congress must close the loophole that intelligence agencies are currently using to read a significant
number of Americans’ communications without a warrant.

But that's just the start. He calls out Executive Order 12333, which we've been discussing lately. That's the Ronald Reagan-signed executive order that lets the NSA collect whatever the hell it wants outside of the US. As was recently revealed, this program, which has no Congressional or Judicial oversight, is really the core program that the NSA uses. All the domestic spying under Section 215 and 702? That's just to "fill in the gaps." Wyden thinks it's time that EO 12333 got reviewed and reformed:

The next step will be to seriously examine collection that is done overseas. When
the Foreign Intelligence Surveillance Act was written in the late 1970s, it was written to only apply to
collection done inside the United States. But that was back in an era when each country essentially had
its own separate communications infrastructure.

Now those separate systems have been replaced by an integrated global communications network, in
which calls and emails within one country might be routed through multiple different countries. When
you combine that shift with new technology that makes it much easier to obtain large amounts of data, it
no longer makes sense to assume that collection done overseas will not sweep up the communications of
large numbers of law-abiding Americans.

This means that the rules that govern collection overseas will need to be substantially revised. These are
governed by something called Executive Order twelve-triple-three, which is more than 30 years old and
predates this sea-change in global communications. I was encouraged a few weeks ago when the Senate
Intelligence Committee recognized this fact, and voted to advance a bill that would begin to establish
some firmer rules in this area.

Finally, he talks about the need for ECPA reform -- another thing we've been discussing for years. ECPA is the 1986 Electronic Communications Privacy Act which is so woefully out-of-date, it's not even funny. It's the one that assumes if any communication is sitting on a server for more than 180 days, then it's "abandoned." Go look at how many emails in your Gmail account are over 180 days old... Even though more than half of the House is co-sponsoring an ECPA reform bill, law enforcement folks are protesting it, because they like the easy access. The DOJ loves to go on fishing expeditions with ECPA, as does the SEC and the IRS. Wyden says it's time for real reform.

There's much more that can be done, some of which he refers to in his speech, but it would be nice if Congress finally realized just how truly dangerous the third party doctrine is to our privacy.

make-it-so

Thu, 31 Jul 2014 15:28:49 PDT
Court Says Who Cares If Ireland Is Another Country, Of Course DOJ Can Use A Warrant To Demand Microsoft Cough Up Your Emails
Mike Masnick
https://www.techdirt.com/articles/20140731/15051528076/court-says-who-cares-if-ireland-is-another-country-course-doj-can-use-warrant-to-demand-microsoft-cough-up-your-emails.shtml

ruled against Microsoft in a rather important case concerning the powers of the Justice Department to go fishing for information in other countries -- and what it means for privacy laws in those countries. As you may recall, back in April, we wrote about a magistrate judge first ruling that the DOJ could issue a warrant demanding email data that Microsoft held overseas, on servers in Dublin, Ireland. Microsoft challenged that, pointing out that you can't issue a warrant in another country. However, the magistrate judge said that this "warrant" wasn't really a "warrant" but a "hybrid warrant/subpoena." That is, when the DOJ wanted it to be like a warrant, it was. When it wanted it to be like a subpoena, it was.

Microsoft fought back, noting that the distinction between a warrant and a subpoena is a rather important one. And you can't just say "hey, sure that's a warrant, but we'll pretend it's a subpoena." As Microsoft noted:

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather, it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.

The DOJ hit back earlier this month by basically saying, "yeah, whatever, let's pretend it's a subpoena and give us what we want already."

Overseas records must be disclosed domestically when a valid subpoena, order, or warrant compels their production. The disclosure of records under such circumstances has never been considered tantamount to a physical search under Fourth Amendment principles, and Microsoft is mistaken to argue that the SCA provides for an overseas search here. As there is no overseas search or seizure, Microsoft’s reliance on principles of extra-territoriality and comity falls wide of the mark.

Unfortunately, it appears that the judge just went with the DOJ's reasoning -- though she immediately stayed the ruling, since Microsoft made it clear it plans to appeal. Judge Loretta Preska basically just upheld the magistrate judge's ruling that Microsoft could, in fact, be compelled to hand over data held overseas via a warrant under ECPA, the Electronic Communications Privacy Act (which we've already noted has tremendous problems and needs to be reformed).

Beyond the problems this has for the 4th Amendment in the US, it's also going to create a mess in Europe, where they have much stricter data privacy rules, and where something like ECPA is clearly a problem. For the US to argue that it can make ECPA reach across the ocean into European servers is going to be a big problem -- especially at a time when Europeans are (rightfully) distrustful of the US government's ability to snoop on their data.

say-what-now?

Wed, 16 Jul 2014 15:29:39 PDT
DOJ Tells Court That Of Course It Can Go On A Fishing Expedition Globally For Emails Microsoft Stores Overseas
Mike Masnick
https://www.techdirt.com/articles/20140715/18204627886/doj-tells-court-that-course-it-can-go-fishing-expedition-globally-emails-microsoft-stores-overseas.shtml

challenging the DOJ's attempt to use the outdated Electronic Communications Privacy Act (ECPA) to go fishing for emails held overseas. As Microsoft rightly noted, a warrant does not apply overseas. A magistrate judge tried to dance around this, saying that a warrant under ECPA is really kinda like a subpoena. But Microsoft points out how insane that is:

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

Overseas records must be disclosed domestically when a valid subpoena, order, or warrant compels their production. The disclosure of records under such circumstances has never been considered tantamount to a physical search under Fourth Amendment principles, and Microsoft is mistaken to argue that the SCA provides for an overseas search here. As there is no overseas search or seizure, Microsoft’s reliance on principles of extra-territoriality and comity falls wide of the mark.

A bunch of tech and telco companies have all jumped into the case on Microsoft's side as well, noting that the DOJ's argument would almost certainly violate data privacy laws in other countries, not to mention piss off governments around the globe. The crux of the argument, as per usual with the DOJ, is that when it wants data, it will twist and twist and twist the laws to enable it to get access to as much data as possible, with as little scrutiny as possible. This is just one of many reasons why we need serious ECPA reform -- such that it actually respects the 4th Amendment. But, in this case, it would be nice to have a judge realize that even under such an outdated law, the DOJ's interpretation is simply out of line.

because-we're-the-us-gov't-dammit

Wed, 18 Jun 2014 12:07:19 PDT
More Than Half Of The House Co-Sponsoring Email Privacy Reform; So Why Isn't It Moving?
Mike Masnick
https://www.techdirt.com/articles/20140618/06573127610/more-than-half-house-co-sponsoring-email-privacy-reform-so-why-isnt-it-moving.shtml

ECPA reform. ECPA -- the Electronic Communications Privacy Act -- is woefully outdated. Passed in the 1980s, when the internet was just a small network that connected a few universities, it has allowed law enforcement and other government officials to snoop on your email based on some very outdated definitions and assumptions. As we've discussed in the past, one very obvious example is the idea that, under the law, emails stored on a server for over 180 days are considered "abandoned" and that there's no need to get a warrant to view those emails. Of course, that was back when people expected old emails to be either deleted or downloaded. No one predicted "cloud" computing with virtually unlimited storage.

For years now, there's been a major effort at ECPA reform, to actually make sure that law enforcement needs a warrant to view your emails. It has had strong support in Congress for some time, but the main folks fighting against it are the SEC and the IRS, who like the fact that they can search through your emails without a warrant. In fact, the SEC seems to revel in its ability to do some very questionable things, in part thanks to ECPA.

Earlier this week, the main ECPA reform bill in the House, sponsored by Reps. Kevin Yoder and Jared Polis, hit a new milestone: it currently has 218 co-sponsors, meaning that more than half of the House now has their name on the bill. And yet, the bill is still stalled out, because House leadership has been scared off by the SEC and IRS. Hopefully, the House will finally move forward on this bill.

And while Yoder notes in that article that the NSA revelations have actually helped give this bill momentum, it's important to note that this is separate from the NSA reform issue. ECPA reform is unrelated to the NSA stuff, but covers what other government agencies can do with your email. Both are important issues, but it would be great to finally get basic ECPA reform through. This is a fight that's been going on for over a decade, and with more than half the House supporting it, how much longer can Congressional leadership ignore it?

ecpa-reform-now

Wed, 11 Jun 2014 10:59:37 PDT
Microsoft Challenges Idea That US Government Can Go Fishing For Emails Stored Outside The US
Mike Masnick
https://www.techdirt.com/articles/20140611/06210727545/microsoft-challenges-idea-that-us-government-can-go-fishing-emails-stored-outside-us.shtml

had to comply with a warrant asking for data that was held on servers in Dublin. Microsoft argued, quite reasonably, that a US warrant doesn't apply outside of the US. Unfortunately, magistrate judge James Francis disagreed, saying that while it's true that traditional warrants only apply inside the US, this is different because it's "digital." He argued that because the issue was about information, rather than physical property, it could be considered more like a subpoena than a warrant. As we noted, Microsoft made it clear that it would challenge this ruling, and now it has done so, arguing that the ruling flies in the face of the law and the Constitution. This summary from Microsoft's filing is pretty clear on what an incredibly big deal this is, with the government basically seeking to get the best of a subpoena and a warrant without any of the protections and limits required of either:

The Magistrate Judge issued a warrant under the Electronic Communications Privacy Act ("ECPA") that on its face, purports to authorize the Government to search any and all of Microsoft's facilities worldwide. Microsoft moved to vacate the warrant because the private email communications the Government seeks are located in a Microsoft facility in Dublin, Ireland and because Congress has not authorized the issuance of warrants that reach outside U.S. territory. The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad. To end-run these points, the Government argues, and the Magistrate Judge held, that the warrant required by ECPA is not a "warrant" at all. They assert that Congress did not mean "warrant" when using that term, but instead meant some previously unheard of "hybrid" between a warrant and subpoena duces tecum. The Government takes the extraordinary position that by merely serving such a warrant on any U.S.-based email provider, it has the right to obtain the private emails of any subscriber, no matter where in the world the data may be located, and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.

This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.

The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather, it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.

Verizon has stepped in as well, pointing out that if the original ruling is allowed to stand, it could have significant negative impact on the ability of US businesses to get non-US users to trust them -- an increasingly important issue in light of the Snowden revelations.

The magistrate’s ruling, if left standing, could cost U.S. businesses billions of dollars in lost
revenue, undermine international agreements and understandings, and prompt foreign
governments to retaliate by forcing foreign affiliates of American companies to turn over the
content of customer data stored in the United States.

The recent revelations about U.S. intelligence practices have heightened foreign
sensitivities about the U.S. government’s access to data abroad, generated distrust of U.S.
companies by foreign officials and customers, and led to calls to cease doing business with U.S.
communications and cloud service providers. Studies have estimated that this distrust will result
in tens of billions of dollars in lost business over the next few years. The magistrate’s ruling, if
left standing, will dramatically increase the harm to American businesses. It would mean that
foreign customers’ communications and other stored data would be available to hundreds or
thousands of federal, state, and local law enforcement agencies, regardless of the laws of the
countries where the data is held. Foreign customers will respond by moving their business to
foreign companies without a presence in the United States.

If you hadn't figured it out by now, this case is going to have tremendously important ramifications for privacy around the globe.

going-to-be-an-important-fight

Wed, 28 May 2014 10:00:28 PDT
Can Senator Leahy Actually Get Anything Done To Help With Civil Liberties And Innovation?
Mike Masnick
https://www.techdirt.com/articles/20140524/06495527354/can-senator-leahy-actually-get-anything-done-to-help-with-civil-liberties-innovation.shtml

But over and over again, it seems that charge is... to go nowhere.

Politico has a story about how last week was a disaster for the tech industry in Washington DC. For all the talk about how Silicon Valley has been flexing its lobbying power, patent reform was killed, a good NSA reform bill was replaced with a bad one (leading the tech industry to pull its support) and the fight for immigration reform went the way it normally does -- nowhere beyond people yelling at each other.

But what I found even more interesting is just how powerless the "powerful" Senator seems to be on so many of these issues. Leahy has been the leading Senate voice for ECPA reform (requiring a warrant to search your electronic data) for years -- and it has pretty widespread support. And yet, he's unable to get it to move forward because the SEC and IRS want to be able to read emails without a warrant. Really?

Similarly, for over a decade, Leahy has been the point person on patent reform in the Senate, promising to finally reform the system to stop abusive patents. The bill he finally got through in 2011 did absolutely nothing after it was watered down and watered down and watered down some more. And this year, when it looked like there might finally be a bill with at least a little (not nearly enough) progress towards stifling abusive patent practices, he got completely shut down by the trial lawyers and Harry Reid.

And, now we're basically relying on Senator Leahy to fix the NSA reform package. He introduced the companion to the USA Freedom Act in the Senate, and many in the tech and civil liberties communities are hopeful that Leahy will stand firm in actually reforming the NSA. And while he's been saying all the right things about reforming the NSA, given his track record, you have to start to wonder: can this super powerful Senator actually get this done right?

Yes, getting anything done in Congress is a pretty difficult process these days (perhaps for good reason). But we keep hearing about how Senator Leahy is so powerful and such a friend to innovation and civil liberties. But over the past few years, it's been a lot of tough talk, and nothing ever seems to actually get done. It really begins to make you wonder if he's such a "friend" to these communities after all.

weakest-'powerful'-senator

Mon, 7 Apr 2014 14:30:53 PDT
SEC Is A Due Process Nightmare: Searches Emails Without A Warrant, Refuses To Share Exculpatory Evidence
Mike Masnick
https://www.techdirt.com/articles/20140404/22161026807/sec-is-due-process-nightmare-searches-emails-without-warrant-refuses-to-share-exculpatory-evidence.shtml

ECPA reform by noting that one of the main government agencies fighting against it was the SEC, which wanted the ability to snoop through your emails without getting a warrant. If you don't remember, ECPA is an excessively outdated law from 1986, whose definitions make no sense in the internet era (especially one with cloud computing). The key example often given is that emails on a server that are over 180 days old are considered "abandoned" and thus no warrant is needed to access them. That may have kind of made sense in an era when people downloaded all of their email, but now that nearly all email remains on servers somewhere it makes no sense at all. There are other problems with ECPA similar in nature (opened vs. unopened emails are treated differently, for example), but it's clear the law is outdated.

Two stories popped up last week that raise serious concerns about the way that the SEC tramples on the Constitution. The first is that in a hearing, SEC boss Mary Jo White was asked why the SEC is so resistant to ECPA reform and what's wrong with getting a warrant, and more or less admitted that it's standard practice for the SEC to not get a warrant, but to rely on loopholes in ECPA to get access to emails. Prior to this, many had assumed that this was just a desire of the SEC, not that they were regularly doing it. But White's answer makes it clear that the SEC views this practice -- which seems like it should be a clear 4th Amendment violation -- as standard operating procedure.

While she insists that the privacy issues aren't a huge deal, because the SEC tries to "give notice" to the subscriber whose email is being accessed, that still doesn't explain why paper documents require a warrant, and yet the SEC doesn't bother with the much higher standard (including judicial review) of a warrant for electronic documents.

Meanwhile, concerning a separate issue, Mark Cuban and his lawyer published an op-ed in the Wall Street Journal last week, discussing the SEC's totally bogus case against him for insider trading, which got tossed out by a lawyer. The key issue they discussed is how the SEC had exculpatory evidence that proved Cuban had done no wrong from back in 2004 -- and then did everything possible to avoid turning over that evidence, as is normally required in legal proceedings.

In a criminal trial, the federal government has long been obliged to promptly turn over to the defense any evidence that could show that the accused did not commit the offense of which he is accused. The Brady rule (announced in the 1963 Supreme Court case, Brady v. Maryland), prevents one-sided prosecutions in which the defendant is kept in the dark about information that might show that he is innocent.

The government's job as criminal prosecutor is not to obtain convictions, but "to do justice," according to the traditional legal maxim. It should be required to follow the Brady rule in civil trials as well. But the SEC does not, even when it accuses a citizen of fraud. Had the agency complied with this simple rule in its recent insider-trading case against one of us, Mark Cuban, it is unlikely that a lawsuit would even have been filed, let alone go to trial.

At issue were notes the SEC had concerning the details of Cuban's conversation with the CEO of Mamma.com, the search engine Cuban had invested in (and then sold all his shares in), which showed that, contrary to the SEC's claims in the case against him, Cuban had never made certain promises. When Cuban and his lawyer asked for these notes, the SEC resisted.

The SEC, however, resisted the disclosure of these notes for the next three years. Even up until the time Mr. Cuban took the stand, the SEC continued to fight to keep the notes from being shown to the jury by asking the judge to exclude them from evidence. Fortunately, the judge disagreed and the jury ultimately cleared Mr. Cuban of a charge of insider trading.

So, reading both of these stories, we see that the SEC feels that it is free to ignore both the 4th Amendment (against search and seizure without a warrant) and the 14th Amendment (concerning due process). Don't we think that agencies of the federal government should be required to follow the Constitution -- especially basic concepts like protecting the privacy of individuals and giving them basic due process? And, for those of you who think this is no big deal, because it's the SEC, and the SEC just goes after big bad bankers and the like, recognize that the agency following right behind the SEC in fighting ECPA reform is the IRS. Do you feel it's similarly okay for the IRS to search your emails and electronic records without a warrant while also believing that it need not share any of the exculpatory evidence it finds, proving your innocence, while bringing a case against you for violating the law?

Oh, and just for the hell of it, let's take this a step further. Just a few weeks ago, the NY Times reported on an increasingly popular tactic of law enforcement: using the SEC to trick people into effectively implicating themselves in criminal cases. It tells the story of a low-level guy who worked at a law firm and was asked by the SEC to "help out" with an investigation. Only at the last minute was it mentioned that someone from the district attorney's office would be present -- and at no time was there any indication that the guy was being investigated for criminal behavior. But thanks to the SEC smokescreen, the guy was indicted, and he's still not sure why.

So, now it's an SEC that ignores the Constitution, searches emails without a warrant, hides exculpatory evidence and surreptitiously uses these "investigations" to help build out criminal charges against people on a highly questionable basis. See the problem, yet?

The folks over at VanishingRights.com are fighting to reform ECPA, which would at least solve half of the problem above. Right now, the SEC and the IRS remain the main government agencies aligned against such reform. It's time to tell those agencies that they need to obey the Constitution too.

ECPA Reform Petition Passes 100K Signature Threshold With A Last-Minute Surge
Tim Cushing
Thu, 12 Dec 2013 14:02:47 PST
https://www.techdirt.com/articles/20131212/08533525546/ecpa-reform-petition-passes-100k-signature-threshold-with-last-minute-surge.shtml

The We the People petition to reform the ECPA in order to give email the same Fourth Amendment protection that snail mail enjoys narrowly passed the 100K signature threshold needed to (theoretically) prompt a response from the administration.

The last-minute push to hit the mark was impressive. Reminded by the post here yesterday that I hadn't actually signed the petition yet, I went and remedied that around 5 pm (CST) yesterday evening. At that point, it looked as though the petition would be an also-ran, having only gathered about 78,000 signatures with just a few hours remaining.

One would hope this one does prompt a serious response. The only reason this law hasn't been updated is because treating email 180 days old or older as "abandoned" cuts down on the requirements law enforcement and investigative agencies need to meet to access it. These entities obviously benefit heavily from the clearly outdated law and have no interest in seeing this convenient loophole in Fourth Amendment protection closed. The administration has long defended our nation's intelligence and investigative agencies, so it may have little interest in making their jobs "harder." On the other hand, this support has seen a marked decline over the past few weeks, and there are indications that some in the White House really do want to fix this, so there may be some hope yet.

On the plus side, The Hill reports that the DOJ has already weighed in on this topic.

At a House hearing in March, Elana Tyrangiel, the acting assistant attorney general for the Justice Department's Office of Legal Policy, agreed that updating ECPA has "considerable merit."

"We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old," she said. "Similarly, it makes sense that the statute not accord lesser protection to opened emails than it gives to emails that are unopened."

This step in the right direction was unfortunately tempered by a massive step backward.

But she urged lawmakers to exempt civil regulatory investigations from the warrant requirement. She explained that regulators investigate conduct that is unlawful, but not necessarily criminal. She argued that because regulators often do not have access to the warrant power, the requirement would impede critical government investigations.

This "exemption" basically defeats the entire purpose of ECPA reform, and in some ways, makes things worse. It takes a little loophole in the law, which came about because of changes in technology, then widens it and puts a giant stamp of approval on it. It goes from a little loophole that violates the 4th Amendment to a big official law that violates the 4th Amendment.

On top of that, frankly, I'm of the opinion that government investigations could use a few more impediments. And it's not as if regulators can't compel production of email through subpoenas. Just because they're not pursuing criminal charges doesn't mean they're completely out of options. When you're looking to close a loophole, it's hardly beneficial to create a giant open door in its place. Civil regulatory agencies should treat the email they seek like they do any other document. If they can't just seize those documents because an arbitrary amount of time has passed, then they shouldn't be able to do so with email. The rules need to be standardized, not undermined by exceptions and justifications.

If You're An American Who Believes In The 4th Amendment, You Have No Excuse Not To Sign This Petition
Mike Masnick
Wed, 11 Dec 2013 11:51:00 PST
https://www.techdirt.com/articles/20131211/00403525528/irs-wants-ability-to-snoop-through-your-emails-without-warrant-speak-up-now-to-block-this.shtml

ECPA reform, to bring a woefully out of date law into the 21st century. Specifically, we've urged people to sign this White House petition in favor of ECPA reform. That petition closes soon, and it's still a bit short of the 100,000 goal.

Why is this important to you? Because, without it, it's much easier for the government to snoop on your emails without a warrant. What people want is for emails and regular mail to be treated the same, which is simply not the case today.

While this is a separate issue from the NSA stuff, it does matter quite a bit, and this is a chance for there to be a real win that helps protect your privacy. Fighting against this proposal are a variety of government agencies, led by the IRS and the SEC, which have made good use of this loophole to read emails without getting a warrant. This is not what the law was intended for at all. It's a loophole based on the outdated law, which was written in 1986, before anyone could comprehend things like web-based email. The IRS and SEC like having this loophole, and they don't want it to go away. In fact, they want it to be made explicit, rather than an accidental loophole of history. That should be a massive affront to folks who believe in the 4th Amendment and the basic concept that a search should require a warrant based upon probable cause.

I know that many people have dismissed the whole concept of White House petitions, and take a rather cynical view of the whole thing. That's a very dangerous approach here, only helping to further the problems:

Yes, it's true that the White House has ignored certain petitions in the past. It's also true that there are certain issues where the White House doesn't really seem to care what people have to say, because it's made up its mind.

But, that is not always the case, and the White House has used these petitions to take strong positions in the past -- including on things like SOPA and mobile phone unlocking. When accompanied by a strong campaign beyond just the petition, the White House seems open to taking certain issues more seriously. This is one of those.

By all indications, there are some in the White House who agree that ECPA is out of date and needs to be fixed. There appears to be an internal debate about where the official White House position will be -- whether it's siding with the IRS and SEC -- or with the 4th Amendment rights of the public. Having a ton of signatures from the American public on their side will absolutely help those in the White House who support real and meaningful ECPA reform push back against the agencies.

This isn't an empty gesture. There are bills in the House and Senate to fix ECPA, close the loopholes and protect your 4th Amendment rights. Getting White House support could finally push those bills over the edge and make them law.

Sticking with the cynical approach and refusing to sign guarantees failure. Not signing works to the advantage of the IRS and SEC and others who like using this loophole. Even if you're cynical about this, signing the petition at least gives it a chance to influence the debate.

And, yes, I know that outside of the general debate over ECPA, people will look at the NSA situation and argue that it doesn't really matter what the law says. That's not true. Yes, the NSA issue is a big one that needs to be dealt with, but this is about a loophole that goes way beyond the NSA, and is used and abused by different government and law enforcement agencies. Here's a real chance to push back on that and to score a real victory for privacy. Letting cynicism and apathy dictate your move here guarantees that the forces pushing against your 4th Amendment rights win. So take a chance and sign the petition.

The IRS And SEC Want To Snoop Through Your Email Without A Warrant; Don't Let Them
Mike Masnick
Thu, 5 Dec 2013 10:01:26 PST
https://www.techdirt.com/articles/20131205/09442825467/irs-sec-want-to-snoop-through-your-email-without-warrant-dont-let-them.shtml

ECPA reform -- which is the incredibly outdated "electronic communications privacy act" which actually makes sure that you have less privacy than other forms of communication. This isn't necessarily on purpose, but because the law was written in the mid-1980s when email itself was a relatively new concept. It includes some bizarre distinctions between opened and unopened emails and if a message has been "left on a server" for more than 180 days (at which point it's considered "abandoned" and not subject to a warrant). Obviously it never anticipated the kind of internet we have today. It also goes against basic 4th Amendment principles and treats electronic messages differently from physical messages.

There actually is a fair bit of support in both Congress and the White House to fix this... if we can get enough public support behind it, which includes getting more people to sign this petition. As with SOPA, there's a strong suggestion that if this petition tips the scales at 100,000, we can get the White House to come out in favor of ECPA reform.

What's standing in the way? Well, a bunch of government agencies, honestly. There are the obvious ones like the DOJ and DHS. That's to be expected. They always want to make it easier to snoop through emails and written communications. But apparently some of the strongest voices trying to block ECPA reform within the government are coming from the SEC and the IRS, because they too see plenty of advantages in trying to snoop through emails without having to take the trouble of getting a warrant.

As I write this, I'm participating in a Reddit AMA (Ask Me Anything) with Chris Calabrese from the ACLU, Mark Stanley from the Center for Democracy and Technology and Julian Sanchez from the Cato Institute. This coincides with a day of action involving a bunch of companies and organizations trying to get more people to speak out on the importance of ECPA reform. And, finally, the folks at TechFreedom have put together a great infographic, which we've also embedded below.

Tell The Government That It Needs To Get A Warrant If It Wants To Read Your Email
Mike Masnick
Wed, 20 Nov 2013 19:35:54 PST
https://www.techdirt.com/articles/20131120/17144925314/tell-white-house-that-it-should-get-warrant-if-it-wants-to-read-your-email.shtml

There's a simple way to fix all this: reform ECPA to protect private data and say that law enforcement needs to get a warrant to view that information. This is not a difficult requirement, and yet law enforcement has been fighting hard against it for quite some time. Back in September, we noted that if Congress really wants to protect online privacy, beyond just the NSA stuff, a good first start would be comprehensive ECPA reform.

But the NSA’s not the only problem. An outdated law says the IRS and hundreds of other agencies can read our communications without a warrant.

That law, known as the Electronic Communications Privacy Act (ECPA), was written over 25 years ago, before the services we use today even existed.

Right now, several bills in Congress would fix this by updating ECPA to require a warrant, but regulatory bodies are blocking reform in order to gain new powers of warrantless access.

We call on the Obama Administration to support ECPA reform and to reject any special rules that would force online service providers to disclose our email without a warrant.

While many are (perhaps reasonably) skeptical about the "We the People" petitions, they have been shown to be effective tools in getting the White House to take a position on important issues. And, while the DOJ is against this kind of ECPA reform, that's not to say that others in the White House couldn't be convinced to go the other way if they really believe there are enough people in support of such a program. So, check out the petition and let the White House know that it should fix the law so that if law enforcement wants your data, it needs to get a warrant.

Now Is The Time To Reform Outdated Electronic Privacy Laws
Mike Masnick
Wed, 18 Sep 2013 15:17:08 PDT
https://www.techdirt.com/articles/20130918/11122024570/now-is-time-to-reform-outdated-electronic-privacy-laws.shtml

ECPA reform. ECPA is the Electronic Communications Privacy Act, which was passed in 1986. As you can imagine, it's exceptionally outdated and convoluted (such as claiming that any emails on a server for more than 180 days should be considered "abandoned" and available for law enforcement to read -- a concept that makes no sense in an era of hosted email with tremendous storage). ECPA is regularly abused by law enforcement agencies seeking information on Americans. This goes well beyond what the NSA is doing in many ways. There's been support in Congress in the past for ECPA reform, but it's never quite made it.

A large group of organizations and companies -- including us at Floor64/Techdirt, along with (among others) EFF, Center for Democracy and Technology, Free Press, Fight for the Future, Demand Progress, ACLU, Engine Advocacy, CCIA, American Library Association, reddit, DuckDuckGo and more -- have teamed up to create VanishingRights.com, to push for a much needed update to ECPA's outdated rules. Instead, we'd like to see a return to basic 4th Amendment ideas like requiring a warrant to search for info. Sounds crazy, I know, but we're in an age where we actually have to tell Congress that it's time to respect the Constitution, because they seem to forget about it all too often.

The latest proposal to support ECPA reform, called the Email Privacy Act, or HR 1852, was introduced by Rep. Kevin Yoder and has 137 co-sponsors -- so it has significant support in Congress. But it needs more support if it's actually going to pass in this do-nothing Congress that we have.

Please check out the site, where you can let your elected officials know that ECPA needs to be reformed, and that it should respect the basic tenets of the 4th Amendment. You can also read more about ECPA, why it's broken, and what it means for your privacy.

FBI Still Doesn't Think It Needs A Warrant To Read Your Email, Despite Court Ruling To The Contrary
Mike Masnick
Thu, 9 May 2013 07:51:54 PDT
https://www.techdirt.com/articles/20130508/11523523006/fbi-still-doesnt-think-it-needs-warrant-to-read-your-email-despite-court-ruling-to-contrary.shtml

doesn't believe in getting a warrant -- leading to the IRS promising to change that policy. Now they've received some documents from the FBI in response to a FOIA request that again suggest that, despite the ruling in US v. Warshak, in which the 6th Circuit said that a warrant is needed to compel an ISP to turn over emails, the FBI believes it can access emails older than 180 days without a warrant, under ECPA. As we've discussed at length, ECPA (the Electronic Communications Privacy Act) is a very outdated piece of legislation which considers emails on a server over 180 days to be "abandoned" because no one considered a cloud computing future.

What the ACLU found in these documents is that the FBI hasn't updated its Domestic Investigations and Operations Guide (DIOG) in response to the Warshak ruling, and it still suggests that agents can easily access such emails without a warrant. Instead, it says:

In enacting the ECPA, Congress concluded that customers may not retain a “reasonable expectation of privacy” in information sent to network providers. . . [I]f the contents of an unopened message are kept beyond six months or stored on behalf of the customer after the e-mail has been received or opened, it should be treated the same as a business record in the hands of a third party, such as an accountant or attorney. In that case, the government may subpoena the records from the third party without running afoul of either the Fourth or Fifth Amendment.

That's a... charitable interpretation of reality. That's what Congress felt back then, but based on a very different network setup. However, as the courts noted in Warshak, the 4th Amendment is still important and still rules.

The ACLU also asked different US Attorney's offices for their guidelines, and found that policies differed greatly based on location. Northern Illinois, for example, seemed to recognize the 4th Amendment. But others, including in Texas, still seem to think that no warrant is required. As the ACLU notes, this hodgepodge of rules and the fact that the FBI hasn't changed its guidelines in response to Warshak just highlights the need for comprehensive ECPA reform.

If nothing else, these records show that federal policy around access to the contents of our electronic communications is in a state of chaos. The FBI, the Executive Office for U.S. Attorneys, and DOJ Criminal Division should clarify whether they believe warrants are required across the board when accessing people’s email. It has been clear since 1877 that the government needs a warrant to read letters sent via postal mail. The government should formally amend its policies to require law enforcement agents to obtain warrants when seeking the contents of all emails too.

More importantly, Congress also needs to reform ECPA to make clear that a warrant is required for access to all electronic communications. Reform legislation is making its way through the Senate now, and the documents released by the U.S. Attorney in Illinois illustrate that the law can be fixed without harming law enforcement goals. If you agree that your email and other electronic communications should be private, you can urge Congress to take action here.

Senate Judiciary Committee Votes That Accessing Your Email Should Require A Warrant
Mike Masnick
Thu, 25 Apr 2013 07:30:15 PDT
https://www.techdirt.com/articles/20130425/07212222831/senate-judiciary-committee-votes-that-accessing-your-email-should-require-warrant.shtml

approved an amendment offered by Senators Patrick Leahy and Mike Lee, which would amend the law to make it so that law enforcement needs to get a warrant if it's accessing your email. As we've discussed in the past, the ECPA today is completely outdated, and treats different emails differently -- but a key point is that emails over 180 days old don't require a warrant, just a subpoena, because the law mistakenly judges them to be abandoned. The Amendment was approved by a voice vote, meaning that there was pretty strong support for it. The Leahy-Lee plan is definitely a necessary step in protecting privacy of emails, and while Leahy especially has been pushing it for a while, seeing strong support in the Senate is a good sign for (hopefully) having it become law.

IRS Investigators See No Need For A Warrant To Snoop On Emails
Mike Masnick
Thu, 11 Apr 2013 11:40:00 PDT
https://www.techdirt.com/articles/20130411/01260522676/irs-investigators-see-no-need-warrant-to-snoop-emails.shtml

247 pages of records (which don't fully answer the questions asked), the ACLU has noted that the documents suggest that the IRS likely read private emails regularly without obtaining a warrant. In their blog post, they note that in the US v. Warshak case, the 6th Circuit made it clear that the government must get a warrant to turn over emails, and it seems clear that the IRS had to change its policy because of that.

The documents the ACLU obtained make clear that, before Warshak, it was the policy of the IRS to read people’s email without getting a warrant. Not only that, but the IRS believed that the Fourth Amendment did not apply to email at all. A 2009 “Search Warrant Handbook” from the IRS Criminal Tax Division’s Office of Chief Counsel baldly asserts that “the Fourth Amendment does not protect communications held in electronic storage, such as email messages stored on a server, because internet users do not have a reasonable expectation of privacy in such communications.” Again in 2010, a presentation by the IRS Office of Chief Counsel asserts that the “4th Amendment Does Not Protect Emails Stored on Server” and there is “No Privacy Expectation” in those emails.

Other older documents corroborate that the IRS did not get warrants across the board. For example, the 2009 edition of the Internal Revenue Manual (the official compilation of IRS policies and procedures) explains that “the government may obtain the contents of electronic communication that has been in storage for more than 180 days” without a warrant.

Of course, the IRS is not alone in this. That's the same way other government agencies have treated email thanks to the outdated nature of ECPA, the Electronic Communications Privacy Act, a law written nearly 30 years ago, which assumed that any content left on a server for over 180 days was "abandoned," because the idea of online messaging systems was foreign to folks in Congress at the time.

The bigger question, though, is whether or not the IRS paid attention to the ruling in Warshak and started getting warrants. As the ACLU notes, while not entirely clear, the answer is likely "no."

Then came Warshak, decided on December 14, 2010. The key question our FOIA request seeks to answer is whether the IRS’s policy changed after Warshak, which should have put the agency on notice that the Fourth Amendment does in fact protect the contents of emails. The first indication of the IRS’s position, from an email exchange in mid-January 2011, does not bode well. In an email titled “US v. Warshak,” an employee of the IRS Criminal Investigation unit asks two lawyers in the IRS Criminal Tax Division whether Warshak will have any effect on the IRS’s work. A Special Counsel in the Criminal Tax Division replies: “I have not heard anything related to this opinion. We have always taken the position that a warrant is necessary when retrieving e-mails that are less than 180 days old.” But that’s just the ECPA standard. The real question is whether the IRS is obtaining warrants for emails more than 180 days old. Shortly after Warshak, apparently it still was not.

The IRS had an opportunity to officially reconsider its position when it issued edits to the Internal Revenue Manual in March 2011. But its policy stayed the same: the Manual explained that under ECPA, “Investigators can obtain everything in an account except for unopened e-mail or voice mail stored with a provider for 180 days or less using a [relevant-and-material-standard] court order” instead of a warrant. Again, no suggestion that the Fourth Amendment might require more.

As the ACLU notes, the IRS owes the American public a clear explanation of its view on warrants... and it should put in place a clear warrant requirement before snooping through emails.

US Government's Failure To Protect Public Privacy Is Driving Business Overseas
Mike Masnick
Mon, 1 Apr 2013 03:50:22 PDT
https://www.techdirt.com/articles/20130328/03042922491/us-governments-failure-to-protect-public-privacy-is-driving-business-overseas.shtml

actively be driving business outside of the US to foreign countries that have stricter privacy laws that actually protect data from government snooping.

Many foreign companies are converging toward a common argument for why they’re better than their American competitors. It’s not that the foreign-made technology is better, more resilient, or more ubiquitous, nor that the foreign companies are more innovative or better managed. They compare not their businessmen but their politicians. They argue simply that American laws undermine any American product — that these laws fail to protect privacy of personal or business information of all users. This argument works partly because consumers claim to “avoid doing business” with companies they don’t trust to protect their privacy.

Basically, because law enforcement believes it needs to build a much bigger haystack as it searches for needles, we're handing other countries a key selling point in setting up services to compete with US services: "you can't trust any service based in the US, because it's subject to government surveillance." That may be a bit of an exaggeration, but I know I've seen a number of companies lately who advertise the fact that they're not based in the US to suggest that they're more secure and can keep your data private. This is not the reputation the US needs or wants right now.

Rep. Gohmert's Record For Stunning Technological Ignorance Is Broken By... Rep. Gohmert
Mike Masnick
Wed, 20 Mar 2013 11:06:11 PDT
https://www.techdirt.com/articles/20130320/03244622387/rep-gohmerts-record-stunning-technological-ignorance-is-broken-rep-gohmert.shtml

exchange with lawyer Orin Kerr during a Congressional hearing concerning "hacking" and the CFAA. In that discussion, Gohmert spoke out in favor of being able to "hack back" and destroy the computers of hackers -- and grew indignant at the mere suggestion that this might have unintended consequences or lead people to attack the wrong targets. Gohmert thought that such talk was just Kerr trying to protect hackers.

I thought perhaps Rep. Gohmert was just having a bad day. Maybe he's having a bad month. In a different hearing, held yesterday concerning ECPA reform, Gohmert opened his mouth again, and it was even worse. Much, much worse. Cringe-inducingly clueless. Yell at your screen clueless. Watch for yourself, but be prepared to want to yell.

The short version of this is that he seems to think that when Google has advertisements on Gmail, that's the same thing as selling all of the information in your email to advertisers. And no matter how many times Google's lawyer politely tries to explain the difference, Gohmert doesn't get it. He thinks he's making a point -- smirking the whole time -- that what Google does is somehow the equivalent of government snooping, in that he keeps asking if Google can just "sell" access to everyone's email to the government. I'm going to post a transcript below, and because I simply cannot not interject how ridiculously uninformed Gohmert's line of questioning is, I'm going to interject in the transcript as appropriate.

Rep. Gohmert: I was curious. Doesn't Google sell information acquired from emails to different vendors so that they can target certain individuals with their promotions?

Google lawyer whose name I didn't catch: Uh, no, we don't sell email content. We do have a system -- similar to the system we have for scanning for spam and malware -- that can identify what type of ads are most relevant to serve on email messages. It's an automated process. There's no human interaction. Certainly, the email is not sold to anybody or disclosed.

Gohmert: So how do these other vendors get our emails and think that we may be interested in the products they're selling?

Okay, already we're off to a great start in monumental ignorance. The initial question was based on a complete falsehood -- that Google sells such information -- and after the lawyer told him that this is not true, Gohmert completely ignores that and still asks how they get the emails. It never seems to occur to him that they don't get the emails.

Google lawyer: They don't actually get your email. What they're able to do is through our advertising business be able to identify keywords that they would like to trigger the display of one of their ads, but they don't get information about who the user is or any...

Gohmert: Well that brings me back. So they get information about keywords in our emails that they use to decide who to send promotions to, albeit automatically done. Correct?

NO. Not correct. In fact, that's the exact opposite of what the lawyer just said. Gohmert can't seem to comprehend that Google placing targeted ads next to emails has NOTHING to do with sending any information back to the advertiser. I wonder, when Rep. Gohmert turns on his television to watch the evening news, does he think that the TV station is sending his name, address, channel watching info, etc. back to advertisers? That's not how it works. At all. The advertisers state where they want their ads to appear, and Google's system figures out where to place the ads. At no point does any information from email accounts go back to anyone. And yet Gohmert keeps asking.

And not understanding the rather basic answers. Unfortunately, the lawyer tries to actually explain reality to Gohmert in a professional and detailed manner, when it seems clear that the proper way to answer his questions is in shorter, simpler sentences such as: "No, that's 100% incorrect."

Lawyer: The email context is used to identify what ads are most relevant to the user...

Gohmert: And do they pay for the right or the contractual ability to target those individuals who use those keywords?

Lawyer: I might phrase that slightly differently, but the gist is correct, that advertisers are able to bid for the placement of advertisements to users, where our system has detected might be interested in the advertisement.

Gohmert: Okay, so what would prevent the federal government from making a deal with Google, so they could also "Scroogle" people, and say "I want to know everyone who has ever used the term 'Benghazi'" or "I want everyone who's ever used... a certain term." Would you discriminate against the government, or would you allow the government to know about all emails that included those words?

Okay, try not to hit your head on your desk after that exchange. First, he (perhaps accidentally) gets a statement more or less correct, that advertisers pay to have their ads show up, but immediately follows that up with something completely unrelated to that. First, he tosses in "Scroogled" -- a term that Microsoft uses in its advertising against Gmail and in favor of Outlook.com -- suggesting exactly where this "line" of questioning may have originated. Tip to Microsoft lobbyists, by the way: if you want to put Google on the hot seat, it might help to try a line of questioning that actually makes sense.

Then, the second part, you just have to say huh? The lawyer already explained, repeatedly, that Google doesn't send any information back to the advertiser, and yet he's trying to suggest that the government snooping through your email is the same thing... and Google somehow not giving the government that info is Google "discriminating" against the government? What? Really?

Lawyer [confounded look]: Uh... sir, I think those are apples and oranges. I think the disclosure of the identity...

Gohmert: I'm not asking for a fruit comparison. I'm just asking would you be willing to make that deal with the government? The same one you do with private advertisers, so that the government would know which emails are using which words.

Seriously? I recognize that there are no requirements on intelligence to get elected to Congress, but is there anyone who honestly could not comprehend what he meant by saying it's "apples and oranges"? But, clearly he does not understand that because not only does he mock the analogy, he then repeats the same question in which he insists -- despite the multiple explanations that state the exact opposite -- that advertisers get access to emails and information about email users, and that the government should be able to do the same thing.

Lawyer: Thank you, sir. I meant by that, that it isn't the same deal that's being suggested there.

Gohmert: But I'm asking specifically if the same type of deal could be made by the federal government? [some pointless rant about US government videos aired overseas that is completely irrelevant and which it wasn't worth transcribing] But if that same government will spend tens of thousands to do a commercial, they might, under some hare-brained idea like to do a deal to get all the email addresses that use certain words. Couldn't they make that same kind of deal that private advertisers do?

Holy crap. Gohmert, for the fourth time already, nobody gets email addresses. No private business gets the email addresses. No private business gets to see inside of anyone's email. Seeing inside someone's email has nothing to do with buying ads in email. If the government wants to "do the same deal as private advertisers" then yes it can advertise on Gmail... and it still won't get the email addresses or any other information about emailers, because at no point does Google advertising work that way.

Lawyer: We would not honor a request from the government for such a...

Gohmert: So you would discriminate against the government if they tried to do what your private advertisers do?

No. No. No. No. No. The lawyer already told you half a dozen times, no. The government can do exactly what private advertisers do, which is buy ads. And, just like private advertisers, they would get back no email addresses or any such information.

Lawyer: I don't think that describes what private advertisers...

Gohmert: Okay, does anybody here have any -- obviously, you're doing a good job protecting your employer -- but does anybody have any proposed legislation that would assist us in what we're doing?

What are we doing, here? Because it certainly seems like you're making one of the most ignorant arguments ever to come out of an elected official's mouth, and that's saying quite a bit. You keep saying "private advertisers get A" when the reality is that private advertisers get nothing of the sort -- and then you ignore that (over and over and over and over again) and then say "well if private advertisers get A, why can't the government get A." The answer is because neither of them get A and never have.

Gohmert: I would be very interested in any phrase, any clauses, any items that we might add to legislation, or take from existing legislation, to help us deal with this problem. Because I am very interested and very concerned about our privacy and our email.

If you were either interested or concerned then you would know that no such information goes back to advertisers before you stepped into the room (hell, before you got elected, really). But, even if you were ignorant of that fact before the hearing, the fact that the lawyer tried half a dozen times, in a half a dozen different ways to tell you that the information is not shared should have educated you on that fact. So I'm "very interested" in what sort of "language" Gohmert is going to try to add to legislation that deals with a non-existent problem that he insists is real.

Gohmert: And just so the simpletons that sometimes write for the Huffington Post understand, I don't want the government to have all that information.

Rep. Sensenbrenner: For the point of personal privilege, my son writes for the Huffington Post.

Gohmert: Well then maybe he's not one of the simpletons I was referring to.

Sensenbrenner: He does have a PhD.

Gohmert: Well, you can still be a PHUL.

Har, har, har... wait, what? So much insanity to unpack. First of all, Gohmert seems to think that people will be making fun of him for suggesting that the government should "buy" access to your email on Google. And, yes, we will make fun of that, but not for the reasons that he thinks they will. No one thinks that Gohmert seriously wants the government to buy access to information on Google. What everyone's laughing (or cringing) at is the idea that anyone could buy that info, because you can't. No private advertiser. No government. It's just not possible.

But, I guess we're all just "simpletons."

Seriously, however, we as citizens deserve better politicians. No one expects politicians to necessarily understand every aspect of technology, but there are some simple concepts that you should at least be able to grasp when explained to you repeatedly by experts. When a politician repeatedly demonstrates no ability to comprehend a rather basic concept -- and then grandstands on their own ignorance -- it's time to find better politicians. Quickly.

Patrick Leahy Introduces Legislation (Yet Again) To Require Government Warrants To Get Your Electronic Info
Mike Masnick, Tue, 19 Mar 2013 15:24:28 PDT
https://www.techdirt.com/articles/20130319/14590722380/patrick-leahy-introduces-legislation-yet-again-to-require-government-warrants-to-get-your-electronic-info.shtml

introduced a plan to reform ECPA. Like the CFAA, ECPA is an extremely troubling and outdated piece of legislation where Congress tried to deal with "those computer things" back in the 1980s in a manner that just doesn't make any sense today. Mainly it has opened up massive loopholes for the US government to access your data with little to no oversight (for example, the law considers messages on a server for over 180 days to be "abandoned" and thus fair game for law enforcement, as it never considered the idea of cloud storage). Senator Leahy would like to update the law to protect our privacy, such that law enforcement would actually be required to get a warrant.

If all of this sounds familiar, you wouldn't be wrong. We've been discussing it forever. Leahy keeps introducing bills and they never seem to turn into law. Law enforcement has been his main antagonist on this, though the DOJ (somewhat surprisingly) appeared to concede today that ECPA needs significant reform, even calling out the 180 day issue explicitly in testimony before the Judiciary Committee:

Many have noted—and we agree—that some of the lines drawn by the SCA that may have made sense in the past have failed to keep up with the development of technology, and the ways in which individuals and companies use, and increasingly rely on, electronic and stored communications. We agree, for example, that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old. Similarly, it makes sense that the statute not accord lesser protection to opened emails than it gives to emails that are unopened.

That said, the DOJ is likely to push back on significant parts of any ECPA reform effort, to make sure it still has the ability to trawl through as much data as possible. Much of the testimony seems to warn of a parade of horribles that could occur if (*gasp*!) it has to get warrants for everything.

Congress Tries, Yet Again, To Fix Outdated Electronic Privacy Laws
Mike Masnick, Fri, 8 Mar 2013 15:06:02 PST
https://www.techdirt.com/articles/20130307/01490322235/congress-tries-yet-again-to-fix-outdated-electronic-privacy-laws.shtml

ECPA reform for ages. In case you haven't been following this, ECPA is an incredibly outdated law concerning the privacy of electronic communications. As it stands now, thanks to some oddities in the law, the government can often access your online data with little oversight (among the many oddities in the bill, it considers emails on a server for more than 180 days "abandoned" and accessible by the government without a warrant). While many politicians in Congress claim that they're in favor of ECPA reform, little ever seems to happen with it. Late last year it had looked like a deal might have been worked out whereby Congress would approve strong ECPA reform that would respect the privacy of our data, in exchange for also reforming privacy laws concerning video rental data (basically a favor to Netflix and Facebook).

Law enforcement, as always, flipped out about the ECPA reform bit, and at the very, very end of Congress, the video rental reform stuff passed while ECPA reform was left on the cutting room floor.

This week, however, ECPA reform has been brought back once again, this time in the House, by Rep. Zoe Lofgren, along with Reps. Ted Poe and Suzan DelBene. The proposed bill, called The Online Communications and Geolocation Protection Act, is embedded below. It's a strong bill, meaning law enforcement folks are likely to flip out again. Among the reforms, it would set up a clear and consistent standard for requiring a warrant for government access to electronic communications. That is, it will get rid of the hodgepodge of ECPA rules that change based on how old the communications are, whether they've been opened, whether they're drafts, etc. Now, we just get one rule, across the board, and that rule is get a warrant. It also requires (with a few exceptions) that notice be given to the user/account holder, so that people actually know when the government goes looking through their data.

In an attempt to appease law enforcement, the bill leaves in many "exceptions," that will allow law enforcement to bypass these rules in certain cases. The bill would be stronger without these exceptions, but there's no way the bill passes without something like that in there.

As you may have realized from the name, the bill also has a section dealing with "geolocation" information. This is important because there are a bunch of ongoing fights concerning the privacy of your location data (obtained via mobile phones, GPS devices and such). As we've covered here repeatedly, the courts have been ruling every which way on the legality of law enforcement accessing this kind of data, and so the bill tries to clarify that, and puts in place prohibitions on the government intercepting location info without a warrant (with, of course, a few key exceptions -- including in an emergency, if the person gives consent or if the data is already public).

It's a good bill that deserves support. While it may not be perfect, it's a hell of a lot better than what we have now. This would be a huge step up in protecting our privacy from government intrusion, which means it's going to be an uphill battle against law enforcement interests to get it passed. That said, maybe this is finally the year when all those elected officials who claim ECPA reform is important get their act together and vote to approve real reform.

Government Demanding More And More Info On Google Users Without Any Oversight
Mike Masnick, Wed, 23 Jan 2013 20:01:00 PST
https://www.techdirt.com/articles/20130123/12032021768/government-demanding-more-more-info-google-users-without-any-oversight.shtml

transparency report, once again, highlights why we need ECPA reform in the US as soon as possible. ECPA -- the Electronic Communications Privacy Act -- is an outdated law that was supposed to be about protecting user privacy, but was written nearly three decades ago and now does exactly the opposite. Beyond being complex in ridiculous and unnecessary ways, it rests on things that were true decades ago and are no longer the case. For example, under ECPA, emails left for 180 days on a server are considered "abandoned" and no longer need a warrant, whereas in the real world, where all email lives on servers for quite some time, that idea makes no sense.

Either way, the report makes clear that US government agencies are well aware that they can go trolling through Google to get information on people with little oversight. Requests -- especially requests that are purely a subpoena (with no judicial oversight) -- appear to continue to rise:

The largest part of that chart is the government subpoenas, meaning no judge had to look them over first:

68 percent of the requests Google received from government entities in the U.S. were through subpoenas. These are requests for user-identifying information, issued under the Electronic Communications Privacy Act (“ECPA”), and are the easiest to get because they typically don't involve judges.

Unfortunately, Congress had a chance to reform ECPA last year, and the Senate Judiciary Committee even approved it. But, right at the end of the year, Congress passed a separate bill that had been attached to ECPA reform by itself... and left ECPA reform to rot.